tcpdump -i eth0 -e -n not ether src host FF:FF:FF:FF:FF:FF

Options

-e — Print MAC address

-n — Do not resolve

MPV is the best lightweight video player that I want to improve for video professionals. The current version is to geeky for non-programmers who are not familiar with CLI. It hard to install and default config is not optimal.

What I want to change in MPV

Easy installation for macOS/Windows

Right not the only way to install MPV is to deal with CLI. I want to create a regular .app package that can be install just my drag-n-drop like any other applications on macOS or even upload it to App Store and Windows Store.

Valid signature

All modern OS require a signature. I can provide a signature for macOS and Windows from my company to sign the binaries for macOS and WIndows

Convert any video to H264 or DHNxHD for editing?

A simple option in GUI to convert any strange video format to most popular video codec ready to publish to the web or social media. Or decompress to the best editing codec.

Built-in cut feature

Easy to use cut feature to cut any part of video and export it to source codec without re-encoding or h264. Maybe this plugin https://github.com/familyfriendlymikey/mpv-cut

Suggestion for default settings

Default settings is not optimal for simple and fast operating. I suggest to change it to this:

.mpv/config

# resize window in case it's larger than screen
autofit-larger=90%x90%

# keep the player open when a file's end is reached
keep-open=yes

# disable interlace
deinterlace=no

# much faster fullscreen on macOS than native
no-native-fs

# correct window resizing with mouse wheel on hidpi macbooks
no-hidpi-window-scale

# improve playing performance at the cost of video quality
vd-lavc-fast
vd-lavc-skiploopfilter=all

.mpv/input.conf

🐛 The keyboard shortcuts works only with English keyboard layout. This bug should be fixed.

# Resize window with mouse scroll 
WHEEL_UP	add window-scale +0.0625
WHEEL_DOWN	add window-scale -0.0625

# Move back/forward by one frame
, frame-back-step ;show-text "${playback-time/full} / ${duration} (${percent-pos}%)\nframe: ${estimated-frame-number} / ${estimated-frame-count}"
. frame-step ; show-text "${playback-time/full} / ${duration} (${percent-pos}%)\nframe: ${estimated-frame-number} / ${estimated-frame-count}"

# Apply color filter in cycle
c-1 vf set "format=gamma=v-log:colorlevels=full:primaries=v-gamut" ; show-text "Panasonic V-Log"
c-2 set contrast 58 ; set brightness 0 ; set gamma -12 ; set saturation 10 ; show-text "My BMPCC4K"
c-0 vf clr "" ; set contrast 0 ; set brightness 0 ; set gamma 0 ; set saturation 0 ; show-text "Color cleared"

# Duplicate russian layout hotkeys because of MPV bug
# This bug should be fixed
й keypress "q"
ц keypress "w"
у keypress "e"
к keypress "r"
е keypress "t"
н keypress "y"
г keypress "u"
ш keypress "i"
щ keypress "o"
з keypress "p"
х keypress "["
ъ keypress "]"
ф keypress "a"
ы keypress "s"
в keypress "d"
а keypress "f"
п keypress "g"
р keypress "h"
о keypress "j"
л keypress "k"
д keypress "l"
ж keypress ";"
э keypress "'"
я keypress "z"
ч keypress "x"
с keypress "c"
м keypress "v"
и keypress "b"
т keypress "n"
ь keypress "m"
б keypress ","
ю keypress "."

./scripts/control.lua

-- Control 1.0.5
-- https://github.com/oe-d/control
-- See control.conf for settings and key binds

options = require 'mp.options'
u = require 'mp.utils'

o = {
    audio_device = 0,
    pause_minimized = 'no',
    play_restored = 'no',
    show_info = 'yes',
    info_duration = 1000,
    step_method = 'seek',
    step_delay = -1,
    step_rate = 0,
    step_mute = 'auto',
    htp_speed = 2.5,
    htp_keep_dir = 'no',
    end_rewind = 'file',
    end_exit_fs = 'no',
    audio_symbol='🔊 ',
    audio_muted_symbol='🔈 ',
    image_symbol='🖼 ',
    music_symbol='🎵 ',
    video_symbol='🎞 '
}

function init()
    options.read_options(o, 'control')
    if o.step_delay == -1 then o.step_delay = get('input-ar-delay') end
    if o.step_rate == -1 then o.step_rate = get('input-ar-rate') end
    if o.end_rewind == 'file' then mp.set_property('keep-open', 'always') end
    if o.show_info == 'start' then
        o.show_info = 'yes'
        osd:toggle()
    end
    osd.default_msg = function()
        if media.type == 'image' then
            return o.image_symbol
        elseif media.type == 'audio' then
            return o.music_symbol
        else
            local frame = get('frame')
            local frames = get('frames')
            if not frame or not frames then return o.video_symbol
            else frame = frame + 1 end
            local progress = math.floor(frame / frames * 100)
            return o.video_symbol..math.min(frame, frames)..' / '..frames..' ('..progress..'%)\n'
                ..format(math.max(get('pos') or 0, 0))..'\n'
                ..round(fps.fps, 3)..' fps ('..round(get('speed'), 2)..'x)'
        end
    end
    osd.msg_timer:kill()
    osd.osd_timer:kill()
    step.delay_timer:kill()
    step.delay_timer.timeout = o.step_delay / 1000
    step.hwdec_timer:kill()
    if o.audio_device > 0 then audio:set(o.audio_device) end
    mp.register_event('file-loaded', function() media:get_type() end)
    mp.observe_property('window-minimized', 'bool', function(_, v)
        if o.pause_minimized == 'yes' or o.pause_minimized == media:get_type() then
            if v then media.playback:on_minimize()
            elseif o.play_restored == 'yes' then media.playback:on_restore() end
        end
    end)
    mp.observe_property('playback-time', 'number', function(_, _)
        if osd.show then
            fps:tick()
            osd:set(nil, o.info_duration / 1000)
        end
    end)
    mp.observe_property('play-dir', 'string', function(_, v)
        if v == 'forward' and step.prev_hwdec then
            step.dir_frame = get('frame')
            step.hwdec_timer:resume()
        end
    end)
    mp.observe_property('eof-reached', 'bool', function(_, v)
        media.playback.eof = v
        if v and not step.played then
            if o.end_rewind ~= 'no' then
                local pos = tonumber(o.end_rewind)
                if pos then mp.set_property('playlist-pos-1', math.min(pos, get('playlist-count'))) end
                mp.add_timeout(0.01, function() media.playback.rewind(true) end)
            end
            if o.end_exit_fs == 'yes' then mp.command('set fullscreen no') end
        end
    end)
end

function split(string, pattern)
    local str = {}
    for i in string.gmatch(string, pattern) do
        table.insert(str, i)
    end
    return str
end

function round(number, decimals)
    decimals = decimals or 0
    return math.floor(number * 10 ^ decimals + 0.5) / 10 ^ decimals
end

function format(time)
    time = time or 0
    local h = math.floor(time / 3600)
    local m = math.floor(time % 3600 / 60)
    local s = time % 60
    return string.format('%02d:%02d:%06.03f', h, m, s)
end

function get(property)
    local props = {
        drops = 'frame-drop-count',
        e_fps = 'estimated-vf-fps',
        fps = 'container-fps',
        frame = 'estimated-frame-number',
        frames = 'estimated-frame-count',
        pos = 'playback-time'
    }
    for k, v in pairs(props) do
        if k == property then property = v end
    end
    return mp.get_property_native(property)
end

media = {
    type = nil,
    get_type = function(self)
        if get('track-list/0/type') == 'video' and get('frames') == 0 then
            self.type = 'image'
        elseif get('track-list/0/type') == 'audio' or get('track-list/0/albumart') == 'yes' then
            self.type = 'audio'
        else
            self.type = 'video'
        end
        return self.type
    end,
    playback = {
        eof = false,
        prev_pause = false,
        pause = function(self)
            if self.eof then
                self.rewind()
            else
                if get('pause') and step.stepped then
                    mp.commandv('seek', 0, 'relative+exact')
                    step.stepped = false
                end
                mp.command('set pause '..(get('pause') and 'no' or 'yes'))
            end
        end,
        rewind = function(pause)
            mp.commandv('seek', 0, 'absolute')
            mp.command('set pause '..(pause and 'yes' or 'no'))
        end,
        on_minimize = function(self)
            self.prev_pause = get('pause')
            mp.command('set pause yes')
        end,
        on_restore = function(self)
            if not self.prev_pause then mp.command('set pause no') end
            self.prev_pause = false
        end
    }
}

audio = {
    osd = true,
    prev_list = '',
    i = 0,
    set_prev_vol = false,
    prev_mute = false,
    prev_vol = 0,
    valid = true,
    get = function(self, index)
        local list = get('audio-device-list')
        if index and (index < 1 or index > table.getn(list)) then
            self.valid = false
            list[1].name = 'Invalid device index ('..index..')'
            list[1].description = list[1].name
            index = 1
        end
        return index and list[index] or list
    end,
    set = function(self, index)
        local name = self:get(index).name
        if self.valid then mp.command('no-osd set audio-device '..name) end
    end,
    list = function(self, list, show_index, duration)
        local msg = ''
        for i, v in ipairs(list) do
            local symbol = ''
            if v.name == get('audio-device') then
                symbol = (get('mute') or get('volume') == 0) and o.audio_muted_symbol or o.audio_symbol
            end
            i = show_index and i..': ' or ''
            msg = msg..i..symbol..string.gsub(v.description, 'Autoselect', 'Default')..'\n'
        end
        if self.osd then osd:set(msg, duration) end
    end,
    cycle = function(self, list)
        if u.to_string(list) ~= self.prev_list then self.i = 0 end
        self.prev_list = u.to_string(list)
        self.i = self.i == table.getn(list) and 1 or self.i + 1
        local remember_vol = false
        local index = 0
        local set_vol = false
        local vol = 0
        for i, v in ipairs(list) do
            local iv = split(v, '%d+')
            if i == (self.i > 1 and self.i - 1 or table.getn(list)) and string.find(v, 'r') then
                self.set_prev_vol = true
                remember_vol = true
            end
            if i == self.i then
                index = tonumber(iv[1])
                if iv[2] then
                    set_vol = true
                    vol = iv[2]
                end
            end
            list[i] = self:get(tonumber(iv[1]))
        end
        if remember_vol then
            self.prev_mute = get('mute')
            self.prev_vol = get('volume')
        end
        self.valid = true
        self:set(index)
        if set_vol then
            mp.command('no-osd set mute no')
            mp.command('no-osd set volume '..vol)
        elseif self.set_prev_vol then
            mp.command('no-osd set mute '..(self.prev_mute and 'yes' or 'no'))
            mp.command('no-osd set volume '..self.prev_vol)
            self.set_prev_vol = false
        end
        self:list(list, false, 2)
    end,
    msg_handler = function(self, cmd, ...)
        if cmd == 'list' then
            self.osd = true
            self:list(self:get(), true, 4)
        elseif cmd == 'cycle' then
            local args = {...}
            if args[1] == 'no-osd' then
                table.remove(args, 1)
                self.osd = false
            else
                self.osd = true
            end
            self:cycle(args)
        end
    end
}

fps = {
    interval = 0.5,
    fps = 0,
    prev_time = 0,
    prev_pos = 0,
    prev_drops = 0,
    prev_vop_dur = 0,
    vop_dur = 0,
    frames = 0,
    tick = function(self)
        local vop = get('vo-passes') or {fresh = {}}
        for _, v in ipairs(vop.fresh) do
            self.vop_dur = self.vop_dur + v.last
        end
        if self.vop_dur ~= self.prev_vop_dur then self.frames = self.frames + 1 end
        self.prev_vop_dur = self.vop_dur
        self.vop_dur = 0
        local fps = get('e_fps')
        local t_delta = mp.get_time() - self.prev_time
        if not fps or t_delta < self.interval then return end
        local spd = get('speed')
        local pos_delta = math.abs((get('pos') or 0) - (self.prev_pos or 0))
        local drops = (get('drops') or 0) - (self.prev_drops or 0)
        local mult = self.interval / t_delta
        local function hot_mess(speed)
            if drops > 0 and self.frames * mult < fps * speed / math.max(fps / 30, 1) * self.interval * 0.95 then
                self.fps = round(self.frames * mult, 2)
            else
                self.fps = fps * spd
            end
        end
        if spd > 1 then
            if drops > 0 and (pos_delta * mult > 2 or pos_delta * mult / self.interval > spd * 0.95 and self.frames * mult > 18 * self.interval) then
                self.fps = round(fps * pos_delta * mult / self.interval, 2)
            else
                hot_mess(1)
            end
        else
            hot_mess(spd)
        end
        self.prev_time = mp.get_time()
        self.prev_pos = get('pos')
        self.prev_drops = get('drops')
        self.frames = 0
    end
}

osd = {
    default_msg = nil,
    msg = '',
    show = false,
    toggled = false,
    osd_timer = mp.add_timeout(1e8, function() mp.set_property('osd-msg1', '') end),
    msg_timer = mp.add_timeout(1e8, function() osd.msg = osd.default_msg() end),
    set = function(self, msg, duration)
        if msg or not self.toggled or (self.toggled and self.osd_timer.timeout ~= 1e8) then
            self.osd_timer:kill()
            self.osd_timer.timeout = self.toggled and 1e8 or duration
            self.osd_timer:resume()
            mp.set_property('osd-level', 1)
        end
        if msg then
            self.msg = msg
            self.msg_timer:kill()
            self.msg_timer.timeout = duration
            self.msg_timer:resume()
            mp.add_timeout(0.1, function() mp.set_property('osd-msg1', self.msg) end)
        elseif not self.msg_timer:is_enabled() then
            self.msg = self.default_msg()
            mp.set_property('osd-msg1', self.msg)
        else
            mp.set_property('osd-msg1', self.msg)
        end
    end,
    toggle = function(self)
        self.toggled = not self.toggled
        self.show = self.toggled
        self:set(nil, 0)
    end
}

fullscreen = {
    prev_time = 0,
    clicks = 0,
    x = 0,
    click = function(self)
        if mp.get_time() - self.prev_time > 0.3 then self.clicks = 0 end
        if self.clicks == 1 and mp.get_time() - self.prev_time < 0.3 and math.abs(mp.get_mouse_pos() - self.x) < 5 then
            self.clicks = 2
        else
            self.x = mp.get_mouse_pos()
            self.clicks = 1
        end
        self.prev_time = mp.get_time()
    end,
    cycle = function(self, e)
        if self.clicks == 2 and mp.get_time() - self.prev_time < 0.3 then
            if (e == 'down' and get('fs')) or (e == 'up' and not get('fs')) then
                mp.command('cycle fullscreen')
                self.clicks = 0
            end
        end
    end,
    key_handler = function(self, e)
        if e.key_name == 'MBTN_LEFT_DBL' then
            osd:set('Bind to MBTN_LEFT. Not MBTN_LEFT_DBL.', 4)
        elseif e.event == 'press' then
            osd:set('Received a key press event.\n'
                ..'Key down/up events are required.\n'
                ..'Make sure nothing else is bound to the key.', 4)
        elseif e.event == 'down' then
            self:click()
            self:cycle(e.event)
        elseif e.event == 'up' then
            self:cycle(e.event)
        end
    end
}

step = {
    e_msg = false,
    direction = nil,
    prev_hwdec = nil,
    dir_frame = 0,
    paused = false,
    muted = false,
    prev_speed = 1,
    prev_pos = 0,
    play_speed = 1,
    stepped = false,
    played = false,
    delay_timer = mp.add_timeout(1e8, function() step:play() end),
    hwdec_timer = mp.add_periodic_timer(1 / 60, function()
        if get('play-dir') == 'forward' and not get('pause') and get('frame') ~= step.dir_frame then
            mp.command('no-osd set hwdec '..step.prev_hwdec)
            step.hwdec_timer:kill()
            step.prev_hwdec = nil
        end
    end),
    play = function(self)
        self.played = true
        if self.direction == 'backward' then mp.command('no-osd set hwdec no') end
        mp.command('no-osd set play-dir '..self.direction)
        mp.command('no-osd set speed '..self.play_speed)
        if o.step_mute == 'auto' and not self.muted then mp.command('no-osd set mute no')
        elseif o.step_mute == 'hold' then mp.command('no-osd set mute yes') end
        mp.commandv('seek', 0, 'relative+exact')
        mp.command('set pause no')
    end,
    start = function(self, dir, htp)
        self.direction = dir
        self.prev_hwdec = self.prev_hwdec or get('hwdec')
        self.paused = get('pause')
        self.muted = get('mute')
        self.prev_speed = get('speed')
        self.prev_pos = get('pos')
        if o.show_info == 'yes' then osd.show = true end
        if htp then
            self.play_speed = o.htp_speed
            self:play()
        else
            self.play_speed = o.step_rate == 0 and 1 or o.step_rate / get('fps')
            self.delay_timer:resume()
            mp.command('set pause yes')
            if dir == 'forward' and o.step_method == 'step' then
                if o.step_mute ~= 'no' then mp.command('no-osd set mute yes') end
                mp.command('frame-step')
                self.stepped = true
            elseif dir == 'backward' or get('time-pos') < get('duration') then
                mp.commandv('seek', (dir == 'forward' and 1 or -1) / get('fps'), 'relative+exact')
            end
        end
    end,
    stop = function(self, dir, htp)
        self.delay_timer:kill()
        if dir == 'backward' and get('frame') > 0 and not self.played and get('pos') == self.prev_pos then
            mp.command('frame-back-step')
            print('Backward seek failed. Reverted to backstep.')
        end
        if not htp or o.htp_keep_dir == 'no' then mp.command('no-osd set play-dir forward') end
        mp.command('no-osd set speed '..self.prev_speed)
        if not self.muted then mp.command('no-osd set mute no') end
        mp.command('set pause yes')
        if self.played then mp.commandv('seek', 0, 'relative+exact') end
        if htp and not self.paused and not (media.playback.eof and get('keep-open-pause')) then mp.command('set pause no') end
        self.played = false
        if not osd.toggled then osd.show = false end
    end,
    on_press = function(self, dir, htp)
        local msg = 'Received a key press event.\n'
            ..(htp and 'Key down/up events are required.\n'
            or 'Only single frame steps will work.\n')
            ..'Make sure nothing else is bound to the key.'
        if htp then
            osd:set(msg, 4)
            return
        else
            if not self.e_msg then
                print(msg)
                self.e_msg = true
            end
            self:start(dir, false)
            mp.add_timeout(0.1, function() self:stop(dir, false) end)
        end
    end,
    key_handler = function(self, e, dir, htp)
        if media.type ~= 'video' then return
        elseif e.event == 'press' then self:on_press(dir, htp)
        elseif e.event == 'down' then self:start(dir, htp)
        elseif e.event == 'up' then self:stop(dir, htp) end
    end
}

init()

mp.register_script_message('list-audio-devices', function() audio:msg_handler('list') end)
mp.register_script_message('set-audio-device', function(...) audio:msg_handler('cycle', ...) end)
mp.register_script_message('cycle-audio-devices', function(...) audio:msg_handler('cycle', ...) end)
mp.add_key_binding(nil, 'toggle-info', function() osd:toggle() end)
mp.add_key_binding(nil, 'cycle-pause', function() media.playback:pause() end)
mp.add_key_binding(nil, 'cycle-fullscreen', function(e) fullscreen:key_handler(e) end, {complex = true})
mp.add_key_binding(nil, 'step', function(e) step:key_handler(e, 'forward') end, {complex = true})
mp.add_key_binding(nil, 'step-back', function(e) step:key_handler(e, 'backward') end, {complex = true})
mp.add_key_binding(nil, 'htp', function(e) step:key_handler(e, 'forward', true) end, {complex = true})
mp.add_key_binding(nil, 'htp-back', function(e) step:key_handler(e, 'backward', true) end, {complex = true})

Для многих неочевидна важность корректной идентификации себя при электронном общении. Однако, пренебрежение определенными правилами, может создать существенные неудобства собеседнику.

Описанное ниже не касается формализованных правил этикета, а лишь описывает распространенные проблемы которые создает небрежное отношение к самоидентификации в интернете.

С уважением, Александр

На скриншоте выше показана распространенная проблема, с которой приходится сталкиваться при деловом общении.
Глупо думать, что вы единственный «Александр» с которым знаком ваш собеседник. А если собеседник общается по работе с большим числом людей, совершенно точно через день-два ему будет очень сложно вспомнить, что он общался именно с вами, а уж тем более найти вас в контакт-листе. Поэтому приходится просматривать лог переписки с каждым Александром чтобы отыскать в нем нужного.

Короткое видео о важности фамилии:

Если же вы представляете компанию, и используете IM-клиент только для делового общения, уместно дописать название компании после имени. Например вместо «Вася» лучше написать «Василий Шишкин (webstudio.ru)»

И даже если вы не представляете никакую компанию, и среди друзей вы известны как просто Вася, представьте сколько еще Василиев может быть в контакт-листе ваших друзей, и потрудитесь дописать если уж не фамилию, то хотя бы уникальный псевдоним ее заменяющий.
Например «Вася Крутой» или «Вася Молодец», чтобы не потеряться среди десятка других Вась в контакт-листе.

В результате, из-за невнимательного отношения к заполнению своих профилей, вы вынуждаете собеседников редактировать ваш профиль самостоятельно. Переименовывать вас из «Вася» в «Вася веб-дизайн», дописывать в профиле Skype мобильный телефон и так далее.

Список рекомендаций подписи в любых мессенджерах:

• Никогда не подписывайтесь только именем. Указывайте фамилию или псевдоним вместо фамилии
• Указывая только псевдоним без имени, выбирайте легко запоминающийся и достаточно уникальный. Например Black — плохой псевдоним, Fedor Lobster — хороший псевдоним.
• Никаких посторонних символов, смайликов, скобочек, звездочек. Типа "*Светочка)))*", "--<<==SuperNagibator==>>--". Даже в начальных классах школы это делать стыдно
• Если вы представляете компанию и с этого аккаунта общаетесь только о работе, можно вписать название компании после имени
• Заполняйте vcard. Указывайте в профиле сайт компании, рабочий телефон. Если это Skype, то указывайте в профиле личный телефон. Находясь заграницей очень удобно звонить на мобильный из скайпа без необходимости переписывать его вручную
• Выбирайте осмысленные и строгие логины. Вам в любом случае придется их диктовать на слух. Вместо leno4ka222, kjaaaxi, siooaoa7 лучше предпочесть elenazaeitseva, k.antonov, ivanov.max
• Не меняйте имя в профиле. Выбрав единожды корректное имя, не изменяйте его никогда. Очень раздражает, когда не удается найти в контакт-листе Адрея Зайцева который вдруг стал «Андрюшка Зайчик»

Общедоступные публикации

Ко мне часто обращаются знакомые, не имеющие аккаунта на Хабре, с просьбой спросить что-либо у автора статьи. Потому как прокомментировать статью они не могут, а автор не оставил никаких контактных данных в профиле. Ладно еще если его логин можно нагуглить и найти одноименный вконтакт или фейсбук. Но бывает, что это невозможно.

Бывет, возникает экзотический вопрос, вроде «Какой тип разъема в этой недокументированной китайской микросхеме контроллера фильтра обратного осмоса?». И в результате гугления находишь богом забытый форум, где сидят полтора человека и один из них как раз обладатель этой редкой микросхемы и все про нее знает.
А в профиле у него:

И скорее обычно что-то вроде «Был на сайте: 8 месяцев назад».

Поэтому, если вы публикуете в интернете что угодно, что может хоть кого-то заинтересовать, пускай даже это кажется вам малопопулярным и не интересным, или вы просто ведете блог для себя, снимаете видеоролики, делитесь опытом на форуме, потрудитесь, чтобы при необходимости с вами можно было связаться общедоступными способами. Избавьте человека от необходимости регистрироваться на youtube, форуме, живом журнале, твиттере чтобы просто написать вам. Указывайте в общедоступном месте контактные данные.

• Занимаясь публичной деятельностью — предоставьте возможность обсудить это с вами. Например, включите анонимные комментарии и
• Указывайте в общедоступных местах актуальные средства связи. Помните, что вы можете перестать посещать форумы/жж и не прочитать личные сообщения отправленные через эти сервисы.

Эта статья на хабре https://habr.com/ru/post/208622/

Оказывается, в чате скайпа работают некоторые HTML-теги, в том числе и <font color="">
Благодаря этому возможно создавать несложные картинки в тексте сообщений.

Список поддерживаемых в скайпе тегов www.wikireality.ru/wiki/HTML_в_Скайпе
Для того чтобы оправить HTML-код в чате нужно зажать CTRL+SHIFT и кликнуть на кнопку отправки сообщения.

Код картинки pastebin.com/raw.php?i=z4EspzjC

Ниже показан пример генерации HTML-кода из изображения на PHP.

$imgw = imagesx($img);
$imgh = imagesy($img);
$ratio = $imgw/$imgh;
$newh = floor(sqrt(800 / $ratio));
$neww = floor($ratio * $newh);

$newimg = imagecreatetruecolor($neww, $newh);
imagecopyresampled($newimg, $img, 0, 0, 0, 0, $neww, $newh, $imgw, $imgh);
imagedestroy($img);
$out = '<font size="1"><u>';
for($j = 0; $j < $newh; $j++) {
	for ($i = 0; $i < $neww; $i++) {
		$color = imagecolorat($newimg, $i, $j);
		$out .= '<font color="#'.strtoupper(dechex($color)).'">███</font>';
	}
	$out .= "\n";
}
$out .= '</u></font>';
echo $out;

Код достаточно примитивный, потому как обрабатывается каждый пиксель, даже если подряд идут несколько пикселей одного цвета. Если оптимизировать код, таким образом, чтобы генерировать более компактный HTML, возможно создавать картинки более высокого разрешения. Всё упирается в максимальный размер сообщения в skype — 29,999 символов (символ █ считается за три обычных).

Внимание, при большом количестве таких картинок skype начинает сильно тормозить, спасает только очистка истории. Поэтому лучше удалять сообщение с картинкой.

Работает только в Windows версии.

Попробовать можно тут img4skype.com

P.S. Будем рады если кто-то сможет оптимизировать код для генерации картинок бОльшего разрешения.

UPD: sergey_dobrodey Написал версию на .NET с возможностью создавать картинки 40х40 пикселей но с инвертированием цветов github.com/sergeydobrodey/SkypeImage

UPD: aruz Написал реализацию на .NET генерирующую оптимизированный HTML-код с возможностью регулировать конечный размер и возможностью уменьшение количества цветов github.com/aruz/img4skype
Это позволило создавать огромные картинки (первая сгенерирована моим алгоритмом)

UPD: В новой версии скайпа 5.8.0.154 больше нет возможности отправлять HTML. Но при этом код отправленный с версии младше, отображается в новой версии нормально. Для отправки кода нужна версия ≤5.7

Статья на хабре https://habr.com/ru/post/136395/

На видео показан практический способ угона сессии PPPoE с помощью врезки в кабель. При этом не происходит перехвата логина или пароля и не имеет значения используемый тип авторизации (CHAP/PAP).

Большинство ethernet-провайдеров, к сожалению не используют шифрование всей сессии, ограничиваясь только шифрованием этапа авторизации. Это позволяет представиться легитимным клиентом, перехватив реквизиты существующего подключения.

Теория

PPPoE (Point-to-Point Protocol over Ethernet) — протокол канального уровня, на уровень ниже ip, поэтому для установки соединения не требуется ip-адреса, адресация происходит по MAC-ам.

Условно процесс подключение выглядит так:

Клиент в поисках pppoe-сервера посылает широковещательный запрос,
MAC-адрес назначения FF:FF:FF:FF:FF:FF.
Сервер отвечает клиенту и происходит авторизация (например CHAP Challenge)

В установленном соединении сервер идентифицирует клиента по MAC-адресу и Session ID. Пакеты IP инкапсулируются внутрь кадров PPPoE. В незашифрованном подключении всё содержимое пакетов может быть просмотрено:

Соответственно, узнав реквизиты подключения, можно перехватить сессию:

Для защиты от подобных атак существует опция CHAP Rechallenge, когда сервер повторно идентифицирует клиента с заданным интервалом времени. Ни один из протестированных провайдеров не использовал эту опцию.

В видео используется виртуальная машина, запущенная в режиме моста с ethernet картой хост-системы.
Во время переключения кабеля важно попасть между пакетами LCP-echo.
PPPoE-сервер www.roaringpenguin.com/products/pppoe перекомпилированный с опцией
#define DEFAULT_MAX_SESSIONS 64000

Спасибо kekekeks за помощь в ковырянии исходников сервера rp-pppoe.

Эта статья на хабре https://habr.com/ru/post/130710/

Трафик проходящий по витой паре может быть прослушан абсолютно незаметно для участников соединения.
В этом посте будет показано как изготовить автономный сниффер с возможностью сохранения дампа на диск и управляемый по Wi-Fi.

Теория

В сетях стандарта 10/100Base-T передача сигнала происходит по двум парам жил.
Tx — отправка
Rx — прием
Задача состоит в том, чтобы подключить прослушиваемую пару к принимающей паре сниффера.

Практика

Подойдет любой роутер на который можно установить прошивку DD-WRT (или OpenWRT) с возможностью подключения диска.
Список поддерживаемых моделей.

Например старый Linksys WRT-54GL.

В нем штатно нет возможности подключения флешек, но довольно просто можно впаять SD или MMC карту. Замечу только, что карту перед пайкой лучше отформатировать на компьютере в файловой системе ext2 и GPIO выставлять вручную как в этой инструкции. Я припаял контакты напрямую к карточке, но для сохранения возможности извлекать карту можно использовать гнездо от картридера или переходник microSD->SD

Прошивка DD-WRT — это миниатюрный Linux. Который при наличии свободно места на диске легко превращается в полнофункциональную систему с менеджером пакетов.

На роутерах с объемом памяти мене 32мб (как в моем случаи 16мб), ядро урезанно и процесс установки менеджера пакетов несколько отличается от такового в полных версиях прошивки с поддержкой jffs.

Далее подрозумевается, что роутер уже прошит (без поддержки jffs), карта памяти или USB-флешка уже установлена и смонитрованна в /mmc. Подключаемся telnet-ом, логин root, пароль установленный на веб-морду.

Создаем папку:

mkdir /mmc/opt

Монтируем ее на карту(эту команду необходимо добавить в стартовый скрипт через веб-интерфейс):

mount -o bind /mmc/opt /opt

Запускаем установщик ipkg-opt (нужен интернет):

cd /mmc 

wget http://www.3iii.dk/linux/optware/optware-install-ddwrt.sh

sh ./optware-install-ddwrt.sh

Установка займет несколько минут. Далее:

ipkg-opt install libuclibc++

Теперь менджер пакетов готов к работе. Обновить список пакетов: ipkg-opt update. Вывести список доступных пакетов: ipkg-opt list.
Для сбора трафика необходим tcpdump:

ipkg-opt install tcpdump

Слушающим портом будет WAN, в системе он eth0. Подсоединяем крокодильчики к интересующей паре (обычно Tx интересней) и запускаем дамп:

tcpdump -i eth0

В зависимости от схемы обжима, цвета пар могут быть разными. Определить нужную можно только экспериментально, по значению destination и source.
Крокодильчики лучше припаять к многожильному гибкому кабелю, иначе хрупкие жилы будут отламываться.

Запуск tcpdump можно так же добавить в стартовый скрипт системы для автоматического запуска после перезагрузок.
К роутерму можно подключаться по wi-fi и скачивать файлы например по sftp (нужно включить SSH в веб-интерфейсе).Теги:

Статья была изначально опубликована на Хабре https://habr.com/ru/post/90678/

Я использую OpenPGP карту на устройстве Yubikey Neo
И GPG для OS X из пакета GPGtools.org

Описанное ниже справедливо только для OpenPGP Card V2.0

Процедура представляет из себя посылку APDU команд карте с помощью gpg-connect-agent.
В маке он он находится в /usr/local/MacGPG2/bin/gpg-connect-agent

Перед началом нужно убедиться, что карта отвечает на APDU.

Запрос версии прошивки:

Возврат к заводскому состоянию:

# /usr/local/MacGPG2/bin/gpg-connect-agent -r ./openpgpcard_reset_apdu.scd

Содержимое файла openpgpcard_reset_apdu.scd:

/hex
scd reset
scd serialno undefined
scd apdu 00 A4 04 00 06 D2 76 00 01 24 01
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd reset
scd serialno undefined
scd apdu 00 A4 04 00 06 D2 76 00 01 24 01
scd apdu 00 44 00 00
/echo Card has been reset to factory defaults 
/bye

Карта после очистки:

$ gpg --card-status
Application ID ...: D3740021040118000002040210340000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 02961802
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

IKEv2 is a modern protocol developed by Microsoft and Cisco which was chosen as a default VPN type in OS X 10.11 (El Capitan) and Windows since 7. It supports strong encryption, auto reconnection on network change (MOBIKE), easy configuration and more.

This manual describes minimal IKEv2 server configuration for the most simple client setup based on username/password authentication.

No 3rd party software required on client side Only native OS tools used on client devices with Windows, MacOS, iOS.

No certificates importing on client Simple configuration. Just type login/passowrd and server address like any other VPN connection.

IKEv2 supported platforms

X.509 Certificates intro

In order to prevent man-in-the-middle attacks IPsec IKEv2 server always authenticates itself with an X.509 certificate using a strong RSA or ECDSA signature. After a secure communication channel has been established, clients authenticate themselves using the EAP-MSCHAPv2 protocol based on user name and password (or other authentication protocol). This means that client needs to verify X.509 certificate authenticity using CA in system keychan. Just as for HTTPS connections in a web browser. Server certificate must be valid for successful client authentication.

There are two ways of getting server certificate:

1. Use certificate issued by CA trusted by most operating systems. 2. Issue self-signed certificate and distribute your own CA to every clients’ system.

The First way makes connection setup much easier on client side because it does not require importing any certificates in the system. This way is recommended. Self-signed certificates are more complicated. Follow this way only if you know exactly what you need them for and how to manage your own PKI.

Issue certificate from one of Ceritifaces Authorities

Fortunately X.509 certificates that we used to deploy as SSL certificates for HTTPS web servers are also suitable for IKEv2. You can get free certificate from Wosign, StartSSL, or LetsEncrypt, or any of your favorite CA.

The only few requirements wich certificate must comply with:

• Have an Extended Key Usage (EKU) flag explicitly allowing the certificate to be used for authentication purposes. OID 1.3.6.1.5.5.7.3.1 (often called TLS server authentication) All certificated issued for web servers authenitcation have this flag.
• Subdomain wich will be used as IKEv2 server adress must be in Subject Alternative Name. Needed domain must be added as a additional domain, not as general one when issuing SSL certificate. I will use tunnel.zhovner.com as example.
• (Optional) If possible choose SHA-256 instead of SHA-1 signature algorithm, because SHA-1 is weak and deprecated.

Selfsigned certificates

Selfsigned certificates requires to deploy complete PKI. Issue your own Root Certificate Authority (CA), destribute this CA to all clients systems, issue server certificate, manage CLR (Certificate Revocation List) and OCSP. This subject is very complicated and goes out this manual, so I won’t describe it here. In most cases you don’t need selfsigned certificates. It is required only if you are planning to use client certificate authentication (without username/password). If you decided to use selfsigned certificates, take a look at EasyRSA fork than allows to issue certificates suitable both for OpenVPN and IKEv2 and simplifies PKI management.

Server configuration

strongSwan - powerfull and open source IPsec/IKEv2 server and client solution. You will need any Linux box with 2.6 or 3.x kernel to run strongSwan server. Check that your favorite distro have strongSwan ≥ 5.x package in repo. If you run Linux in virtual container, make sure that you have XEN or KVM virtualization but not OpenVZ, because OpenVZ not supporting kernel IPsec.

I recommend Linode as VPS hosting bacause they provide additional /64 IPv6 routable subnet that easely can be assigned to IPsec clients.

In this example I will use Debian 8.2 jessie as most common distro. Make sure that your stongSwan package not older than 5.2.1-6+deb8u2

Installing strongSwan and extra plugins:

apt-get install strongswan libcharon-extra-plugins

On this step you must have all necessary certificates and key files.

List of required files:

privatekey.pem — RSA private key which was used for CSR when issuing certificate. Key must be non-encrypted.

CA.crt — Root Certificate of your Certificate Authority. It can be downloaded from web or exported from system keychain.

intermediate1.crt — intermediate certificate of your Certificate Authority. If you get certificate from WoSign look at for Other Server.zip archive.

intermediate2.crt — (optional) Number of intermediate certificates may be varied, depending on your CA.

my.crt — your certificate. In the example this file will be named tunnel.zhovner.com.crt

How this chain looks from Google Chrome certificate information

Place each file to the proper path:

/etc/ipsec.d/private/privatekey.pem
/etc/ipsec.d/cacerts/ca.crt
/etc/ipsec.d/cacerts/intermediate1.crt
/etc/ipsec.d/cacerts/intermediate2.crt
/etc/ipsec.d/certs/tunnel.zhovner.com.crt

Edit /etc/ipsec.secrets that contains users and private keys credentionals:

Edit /etc/ipsec.conf:

Restart strongSwan to read new config files:

systemctl restart strongswan

Verify that all cerifitaces configured correctly by executing ipsec listall Notice that output is very long and must be readed from the top. Full certificates chain must be presented and Entity Certificate must contain “has private key”.

List of X.509 End Entity Certificates:

  altNames:  zhovner.com, www.zhovner.com, hub.zhovner.com, tunnel.zhovner.com, ....
  subject:  "CN=zhovner.com"
  issuer:   "C=CN, O=WoSign CA Limited, CN=CA CA 沃通免费SSL证书 G2"
  serial:    11:eb:85:14:5b:e2:56:96:0d:b4:fe:f2:4a:88:48:21
  validity:  not before Apr 22 17:19:27 2015, ok
             not after  Apr 22 18:19:27 2018, ok
  pubkey:    RSA 2048 bits,

<font color="red"><b>has private key</b></font>
  keyid:     0a:c6:c8:96:59:73:2c:6c:6f:7d:03:d0:35:da:e8:49:db:86:6e:fb
  subjkey:   f8:b0:bb:e9:9b:2c:8c:a2:90:b2:c0:77:b5:2b:c1:1f:d0:98:7e:d7
  authkey:   30:da:74:86:f3:28:90:56:9e:d7:31:31:c2:bd:59:cd:93:12:39:1d

List of X.509 CA Certificates:

  subject:  "C=CN, O=WoSign CA Limited, CN=CA 沃通免费SSL证书 G2"
  issuer:   "C=CN, O=WoSign CA Limited, CN=CA 沃通根证书"
  serial:    01:58:8c:3a:35:07:b3:f8:97:23:1c:76:b7:ef:85:dd
  validity:  not before Nov 08 03:58:58 2014, ok
             not after  Nov 08 03:58:58 2029, ok
  pubkey:    RSA 2048 bits
  keyid:     7b:07:23:98:e4:9f:25:2f:19:3f:76:4d:cd:0f:70:f6:4b:fc:b0:e6
  subjkey:   30:da:74:86:f3:28:90:56:9e:d7:31:31:c2:bd:59:cd:93:12:39:1d
  authkey:   e0:4d:bf:dc:9b:41:5d:13:e8:64:f0:a7:e9:15:a4:e1:81:c1:ba:31
  pathlen:   0

  subject:  "C=CN, O=WoSign CA Limited, CN=CA 沃通根证书"
  issuer:   "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
  serial:    1f:ce:a7:f6:a9:7f:e9
  validity:  not before Sep 18 02:46:36 2006, ok
             not after  Jan 01 02:59:59 2020, ok
  pubkey:    RSA 4096 bits
  keyid:     c2:06:fb:d5:3b:ba:0c:ee:f2:d2:d2:45:3d:07:52:26:3a:9f:e7:5f
  subjkey:   e0:4d:bf:dc:9b:41:5d:13:e8:64:f0:a7:e9:15:a4:e1:81:c1:ba:31
  authkey:   4e:0b:ef:1a:a4:40:5b:a5:17:69:87:30:ca:34:68:43:d0:41:ae:f2
  pathlen:   2

  subject:  "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
  issuer:   "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
  serial:    01
  validity:  not before Sep 17 23:46:36 2006, ok
             not after  Sep 17 22:46:36 2036, ok
  pubkey:    RSA 4096 bits
  keyid:     23:4b:71:25:56:13:e1:30:dd:e3:42:69:c9:cc:30:d4:6f:08:41:e0
  subjkey:   4e:0b:ef:1a:a4:40:5b:a5:17:69:87:30:ca:34:68:43:d0:41:ae:f2

That’s all. If everything looks right try connect to server. For debbuging connection problems run live logs stream journalctl -f -u strongswan

NAT

For let out VPN clients into Internet you need configure NAT. This subject is not covered in this manual.

For testing porpose (insecure):

echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

IPv6 issues

It is possible to assign native IPv6 addresses as well as IPv4 to VPN clients. For this you will need additional IPv6 subnet routed to you machine but not assigned on server interface. Unfortunately from lots of VPS providers that I’ve used, only Linode provide additional /64 IPv6 subnet for free.

For DigitalOcean and others providers you will need setup NDP proxy. Related thread https://lists.strongswan.org/pipermail/users/2015-July/008365.html

Client configuration

macOS >10.11 and iOS 9 autconfiguration profile

A configuration profile is an XML file that allows you to distribute configuration information. If you need to configure a large number of devices or to provide lots of custom email settings, VPN profiles, network settings, or certificates to a large number of devices, configuration profiles are an easy way to do it. In our case we will use VPN payload for one click configuration. For IKEv2 VPN connections the configuration profile is the only way to set advanced options like ciphers, DH groups, PFS, rekey timeout and so on. More about it https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

Configuration profile can be created manually or via Apple Configurator 2 utility. Syntax is same for OS X and iOS. Profile can be distributed as mail attachments or via http link. Profile name must end with .mobileconfig and if you plan to share it over HTTP web server should response with Content-Type application/octet-stream.

Always On Mode

In Apple terms “Always On” mode prevents user from disconnect VPN manually. This mode can be configured only on device that in supervision mode. But you can do the same without supervision mode in more flexible way by usign rule that connects VPN automatically every time when you have internet connection. And reconnect it when connection lost. “On demand” mode can be configured only via .mobileconfig profile.

This mode can cause a problems when you can’t connect to the VPN server, becuase it will block internet access without VPN connection. To disable Always On mode unchek On Demand options in VPN connection preferences.

Debug log in macOS

If your connection doesn’t work in macOS, it silently disconnect without any error code. Debug log can be viewed in system utility Console.app. Type networkextension in search and try to connect.

To increase verbosity: sudo defaults write /Library/Preferences/com.apple.networkextension.control.plist LogLevel 6 Back to default: sudo defaults write /Library/Preferences/com.apple.networkextension.control.plist LogLevel 5

Also read this: https://forums.developer.apple.com/thread/31375

Autoconfig profile template

The easiest way to get working profile is to edit 4 variables in this template: RemoteAddress, RemoteIdentifier, AuthName, AuthPassword. Edit the rest of template following comments. Example profile of our VPN server supervpn.mobileconfig:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IKEv2</key>
            <dict>

                <!-- Username and password from ipsec.secrets -->
                <key>AuthName</key>
                <string>obama</string>
                <key>AuthPassword</key>
                <string>SuperPassword123</string>

                <!-- Hostname or IP address of VPN server.
                 Chosing IP address instead of DNS name can avoid issues with client DNS resolvers and speed up connection process. -->
                <key>RemoteAddress</key>
                <string>43.12.22.134</string>

                <!-- leftid in ipsec.conf -->
                <key>RemoteIdentifier</key>
                <string>tunnel.zhovner.com</string>

                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>ChildSecurityAssociationParameters</key>
                <dict>

                <!-- in ipsec.conf this proposal is: ike=aes256-sha256-modp2048 -->
                    <key>DiffieHellmanGroup</key>
                    <integer>14</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-256</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-256</string>
                    <key>LifeTimeInMinutes</key>
                    <integer>1440</integer>
                </dict>
                <key>DeadPeerDetectionRate</key>

                <!--
                    None (Disable)
                    Low (keepalive sent every 30 minutes)
                    Medium (keepalive sent every 10 minutes)
                    High (keepalive sent every 1 minute)
                -->
                <string>High</string>
                <key>ExtendedAuthEnabled</key>
                <true/>
                <key>IKESecurityAssociationParameters</key>
                <dict>
                    <key>DiffieHellmanGroup</key>
                    <integer>14</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-256</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-256</string>
                    <key>LifeTimeInMinutes</key>
                    <integer>1440</integer>
                </dict>

                <!--
                Always On OnDemand Rule
                Cen be disabled in connection preferences by "On Demand" checkbox
                http://www.v2ex.com/t/137653
                https://developer.apple.com/library/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
                https://github.com/iphoting/ovpnmcgen.rb
                -->
                <key>OnDemandEnabled</key>
                    <integer>1</integer>
                    <key>OnDemandRules</key>
                    <array>
                        <dict>
                            <key>Action</key>
                            <string>Connect</string>
                        </dict>
                    </array>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.96C1C38F-D4D6-472E-BA90-9117ED8896B5</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>96C1C38F-D4D6-472E-BA90-9117ED8896B5</string>
            <key>PayloadVersion</key>
            <integer>1</integer>

            <!-- VPN connection name in Network Preferences -->
            <key>UserDefinedName</key>
            <string>London VPN</string>
            <key>VPNType</key>
            <string>IKEv2</string>
        </dict>
    </array>

    <!-- Set the name to whatever you like, it is used in the profile list on the device -->
    <key>PayloadDisplayName</key>
    <string>My Super IKEv2 VPN</string>

    <!-- A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile. This string is used to determine whether a new profile should replace an existing one or should be added. -->
    <key>PayloadIdentifier</key>
    <string>com.zhovner.tunnel</string>

    <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
    <key>PayloadUUID</key>
    <string>F3FAD91C-019C-4A79-87A1-CF334C583339</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

iOS manual configuration

OS X 10.11 manual configuration

It’s impossible to set advanced options (like ciphers, DH groups, PFS, rekey timeout) via GUI. If you need it use configuration profile method.

1. Create new VPN connection in network preferences
2. Choose type IKEv2 and name of connection
3. Set server address and RemoteID (leftid in ipsec.conf)
4. Enter username and password from ipsec.secrets file
5. Connect to VPN

Windows 7/8/10 IKEv2 manual configuration

In windows you can’t define RemoteID separately from server address, so FQDN should be used. Also keep in mind that IPv6 will not work in windows.

Linux roadwarrior client

This also works on MacOS/FreeBSD

Install strongswan

Configure CA’s

Openssl and ca-certs must be installed.

rmdir /etc/ipsec.d/cacerts
ln -s /etc/ssl/certs /etc/ipsec.d/cacerts

Setup config /etc/ipsec.conf

conn my-super-vpn

    keyexchange=ikev2
    #forceencaps=yes
    dpdaction = restart
    dpddelay = 30s
    keyingtries=%forever

    # start at boot
    auto=start

    rekey=no
    reauth=no
    fragmentation=yes
    #compress=yes

    # left - local  side
    left=%any
    eap_identity=x220
    leftsourceip=%any,%any6
    leftauth=eap-mschapv2

    # right - remote side
    right=q.zhovner.com
    rightsubnet=0.0.0.0/0,::/0

Connect to server

ipsec restart

In a nutshell: they don’t

This post describes my fruitless effort to convince Microsoft employees that their service is vulnerable, and the humiliation one has to go through should one’s account be blocked by a hacker. This is a story of ignorance, pain and despair.

TL;DR

• Anyone can block your account permanently and you can’t do anything about it. The only thing that a hacker needs to know is your Skype login. In most cases Skype support will refuse to unblock your account. Microsoft has known about the problem for years.
• 8-digit authentication code (Microsoft Security Code) generation algorithm is vulnerable. These codes are used for password restore, and the hacker can just guess the code without an access to your email account.
• Skype tech support is vulnerable to social engineering, and Microsoft is perfectly OK with that.
• Skype tech support doesn’t even know what’s going on with your account and why it has been blocked in the first place. Regardless of the reason you’ll get a standard response that your account was blocked for “violating the terms and conditions” even if it was you who clicked “Block account” button in the web interface.
• Skype still discloses your public and private IP addresses (the one that’s on the local interface, behind NAT). In some cases it’s possible to obtain other Skype IDs that are using the same network (e. g. your family members using the same Wi-Fi)
• A hacker can hide an active Skype session from the session list (which is available via /showplaces command) using old SDK versions. This allows to stealthily read your messages if one has managed to obtain your password.

About me

I’ve been using Skype for 10 years. I used to be a Skype fanboy. When jira.skype.com (Skype’s public bug tracker) was still available, I’ve been trying to improve Skype and reporting bugs.

For instance, there was SCW-2778 Remote DoS exploit. This vulnerability allowed an adversary to crash a desktop version of Skype, and break the local history so that the user had to clear it for Skype to work. Another example is SCW-3328 which allowed to remotely turn on your muted microphone during a call.

Even at that time, I was worried by Skype’s approach to fixing bugs. I had to literally beg the developers to fix a problem that was there for years.

I was using all Skype’s products, developer instruments (Skype4COM, SkypeKit), premium subscriptions, Skype For Business. I have created bots, a custom emoticon generation service, etc.

But today I sincerely hate Skype. It’s a horrible service drowning in bureaucracy and ignorance of employees, that ignores real problems and adds 3D Emoticons™ as a major feature. Today Skype is not only insecure but hazardous to its users since security procedures are not only inefficient, they are working against them.

Chronology

Vulnerabilities that allow an adversary block an arbitrary Skype account are present for a few years. There is more than one, and some of them are actively exploited in the wild. Moreover, account blocking is provided as a service.

I used to post a lot about Skype vulnerabilities, and some victims of the exploits contacted me, after finding me on Google.

I have seen various Skype account blocking techniques. I have tried to help people restore access to their accounts and plead Skype to do something about it. Mostly the accounts were blocked via mass abuse reports. It is a well-known technique that’s been here for many years. It is so old it became a tool of children’ subculture for fighting against each other in Skype. But something outrageous has happened in the last year, which I absolutely have to speak about.

Technique 1 - mass abuse reports (classics)

A Skype account is blocked if sufficiently many abuse reports for this account are sent by other Skype members. Presumably, sufficiently many means more than 20. In order to send a report you don’t even need to add the target into contacts: it is possible to send a report from search results by clicking “Block —> report an abuse” Thus the victim may stay completely unaware of all the reports being sent about him/her.

This technique exists for many years. It’s been reported earlier, even kids know about it: they unite into groups for coordinated mass reporting.
There is a list of VK.com groups (Russian Facebook-alike social network) created for that purpose (obtained by a quick search):
vk.com/blockpidaramskype
vk.com/skype_delete
vk.com/blacklistskype
vk.com/blockskyp
vk.com/eds_snos
vk.com/club58649499
vk.com/club49404483

Similar groups exist within Skype itself. There is a specific subculture of abusers, mostly composed of 12- to 19-year-olds, uniting into clans. The main purpose of their actions is to hurt a randomly chosen victim as hard as possible.

The majority of attacks are conducted via verbal duels in group calls. The aim is to humiliate a person the more painfully the better and to record it on video.

Duel recordings (Warning: shouting and swearing in russian)

youtube.com/watch?v=F3mDFk5m_Hs
youtube.com/watch?v=cwNixaAML4I
youtube.com/watch?v=zWhCcqTnjxw
youtube.com/watch?v=4vhy-J-kQtk (Skype account blocked at the end)

Some clans of these abusers publish their own software designed for the malicious activity of mass abuse reporting.

Here is a video demonstrating such software in work. It is a kind of a botnet resulting in contact list voluntarily sending reports for selected accounts. Remember that it is not necessary to add a victim into your own contact list, which means that you can be reported by a hundred of school kids you never talked to, and you’ll never know.

I personally know ≈10 victims whose accounts were blocked this way. But all attempts to recover their accounts via Skype support result in a generic reply:

I understand that your Skype account was blocked. I apologize for any inconvenience that this may have caused, but I will be more than happy to look into this for you.Our automatic systems detected that activities which are contrary to Skype’s Terms and Conditions have taken place via your Skype account. As a result, your account has been restricted and will remain restricted until further notice.

Do you think this vulnerability is fixed by now? Of course it’s not.

Blocking through tech support

In fall, 2015, I started receiving messages from people that suffered from a new type of attack.

This time, before account is blocked, victim received e-mails from Microsoft, containing 8-number code. The letters were sent from verifyme@microsoft.com and had valid DKIM signature, which meant there were sent by Microsoft itself.

During our own investigation with my friends, we were able to spot the attacker. His announcements were everywhere at forums for young script kiddies.

Here’s his info:

• ICQ: 676061500
• Skype: alaaasddsa1.as
• Jabber: block_service@xmpp.jp

And one of his announcement:

In order to check account blocking process, I ordered complete disposal of my test account.
For integrity testing, I did the following:

• The account has been registered to the fresh e-mail account, which was not linked to the account itself. There was not even slightest possibility to guess or find this e-mail account in public sources.
• The password was strong, a combination of numbers and letters of different case.
• Only trusted accounts were added to contact list.
• Account did not participate in any conference and practically wasn’t used for messaging or calls.

Throughout the blocking process, I’ve been monitoring the e-mail account and kept desktop Skype client authorized.

In several hours after payment, I started receiving letters with Microsoft Security Code, just as on screenshots above.

I received total of 24 letters in 10 hours. Leaping ahead, let me tell you that attacker successfully guessed the confirmation code.

Here are all secret codes that I received in time of attack, with timestamps. As we see here, sending was performed with short bursts in few minutes.

Microsoft Support Code: 41917837 Fri, 26 Feb 2016 04:25:54 -0800 (PST)  
Microsoft Support Code: 14793784 Fri, 26 Feb 2016 04:27:32 -0800 (PST)  
Microsoft Support Code: 58837293 Sat, 27 Feb 2016 03:29:18 -0800 (PST)  
Microsoft Support Code: 68871688 Sat, 27 Feb 2016 03:29:33 -0800 (PST)  
Microsoft Support Code: 38424446 Sat, 27 Feb 2016 03:30:33 -0800 (PST)  
Microsoft Support Code: 25068066 Sat, 27 Feb 2016 03:35:39 -0800 (PST)  
Microsoft Support Code: 27311897 Sat, 27 Feb 2016 03:58:58 -0800 (PST)  
Microsoft Support Code: 93194445 Sat, 27 Feb 2016 04:02:43 -0800 (PST)  
Microsoft Support Code: 32506812 Sat, 27 Feb 2016 04:03:36 -0800 (PST)  
Microsoft Support Code: 33627494 Sat, 27 Feb 2016 04:05:40 -0800 (PST)  
Microsoft Support Code: 98350414 Sat, 27 Feb 2016 09:00:03 -0800 (PST)  
Microsoft Support Code: 12437217 Sat, 27 Feb 2016 11:41:04 -0800 (PST)  
Microsoft Support Code: 42078695 Sat, 27 Feb 2016 11:42:45 -0800 (PST)  
Microsoft Support Code: 41321028 Sat, 27 Feb 2016 11:43:09 -0800 (PST)  
Microsoft Support Code: 44964659 Sat, 27 Feb 2016 11:43:19 -0800 (PST)  
Microsoft Support Code: 90692933 Sat, 27 Feb 2016 12:50:21 -0800 (PST)  
Microsoft Support Code: 23696204 Sat, 27 Feb 2016 12:55:18 -0800 (PST)  
Microsoft Support Code: 60212551 Sat, 27 Feb 2016 12:55:25 -0800 (PST)  
Microsoft Support Code: 81725942 Sat, 27 Feb 2016 12:58:04 -0800 (PST)  
Microsoft Support Code: 29172590 Sat, 27 Feb 2016 14:26:54 -0800 (PST)  
Microsoft Support Code: 28091548 Sat, 27 Feb 2016 14:30:38 -0800 (PST)  
Microsoft Support Code: 55969586 Sat, 27 Feb 2016 14:54:21 -0800 (PST)  
Microsoft Support Code: 12424717 Sat, 27 Feb 2016 14:57:59 -0800 (PST)  
Microsoft Support Code: 36300450 Sat, 27 Feb 2016 14:58:16 -0800 (PST)  

After e-mails stopped, the private information (such as name, surname, sex) disappeared from account profile. The login was only one that remained. My main e-mail account on skype.com website changed to deleted@skype.com. I was disconnected from desktop client.

We had the following info at that time:

• The attacker didn’t know the real e-mail address of account. Taking last attacks with known e-mail address into consideration, we thought the same method would be used.
• Bruteforce is no-go as the password used was strong.
• There were no authorization requests from unknown contacts. There also was no activity in Skype client. The attacker has never been in contact with the victim.

We couldn’t understand the process of deleting the account. We couldn’t find the form that would generate the e-mails with Microsoft Security Code. So the best option we had is to get some information from the hacker. I and my friends continued to order attacks for test accounts and in one moment, the hacker sent us the screenshot as the confirmation that account has been deleted successfully. On this screenshot, the tech support confirms this information:

That was Live Chat Support form that can be accessed only by accounts with subscription. You can find it on skype.com website, going through troubleshooting master few times. If you always choose “problem is not solved” option, the last step would give you a confirmation window with live chat prompt.

The chat is opened from https://sales.liveperson.net, a side domain. The information on the website states that this is side company, which offers tech support for your product.

In conclusion, the attack process through live chat support seemed to be like the following:

1. Attacker asks tech support to “delete my account <accountname> because I made a new one.”
2. The tech support operator asks to confirm the rights to an account by telling the code that was sent to e-mail address which is connected to account. The operator doesn’t mention the e-mail account itself but waits for the right code.
3. Operator receives the right code and account is deleted. Also, operator agrees to send code few times and does nothing if the code is incorrect.

Funny thing, the live support chat form receives the login which has been logged in on skype.com. So the operator, in theory, should see the login of the user he/she talks with. And the strange thing is that operator would accept any account named by anyone and start the procedure.

At this moment we don’t know for sure, how the attacker completes the deleting procedure.

Hey, Microsoft!

It is obvious that the vulnerability exists. Let’s report the problem to Skype.
Such an important vulnerability should be fixed ASAP, shouldn’t it?

Due to the fact that Skype doesn’t have any public contacts for vulnerability reports, I have tried to write on the forum: community.skype.com/t5/Security-Privacy-Trust-and/Vulnerability-allows-to-permanently-delete-any-skype-account-by/td-p/4222445
There was no reaction, but there emerged other victims of this attack.

With the help of my friends, I was able to contact directly with Microsoft employees. I reported them all details about the vulnerability, attached screenshots and code listings. I was then assured that an internal investigation was started. That is Microsoft - a serious company.

However, next month other victims of the same vulnerability contacted me again. Microsoft employees reported that investigation hasn’t been finished yet.

I have tried to report to secure@microsoft.com. It is special email for prompt reaction on critical vulnerabilities. It guarantees 24 hours reply. In the report, I explain all the details of account deletion with attached screenshots.

The answer of Microsoft Security Response Center:

I kept asking about Microsoft internal investigation from their employees. The answer didn’t change. It was constantly no. The story was the same for SIX MONTH!!!

It was known for sure that hacker provides operator with the code. Sometimes with the second or the third attempt. It is a shame but I still don’t know all the details of this process. Firstly I have thought that the code is time dependent and thus hacker tries to request as many codes per minute as possible (it could be seen from email timestamps). However, I couldn’t find a relationship between code and time. It is possible that liveperson.net service was vulnerable.

Recently Skype dropped liveperson.net service and chat with support agent now is on microsoft.com domain. The procedure of Skype account deletion cannot be handled by operator anymore. It should be done manually using web form.

One can think that the vulnerability has been fixed. It isn’t so.

Experiment: I’ll die for your sins

Aforementioned Skype account deleter’s victims contacted me one year after. Emails with Security Code were not sent this time, it was apparently a new method.

Frankly speaking, I’d been fed up with all of this. I’d been tired to implore, eat the dust and beg for fixing the vulns for so many months.

As I wrote before, I’d been using Skype for about ten years. My primary account zhovner is quite the same old. I felt that it’s unfair to witness to other people’s suffering not having walked in the same shoes. Then I decided to conduct an experiment and order the deletion of my own account.

It cost me 2000 RUB (about $30). This time the deleter asked for three days to finish the work. Indeed, I was logged out from Skype in several days and I’ve been never able to log in back.

Chatting with Skype Support

As soon as I got banned, I immediately wrote to the Skype Support. Assuming that my account was blocked using well-known trick with mass spam of report messages, I tried to describe it to tech support staff.

You can see the original of the conversation here
(read from top to bottom). I recommend you to read the original to feel all the humiliation the innocent victims are experiencing.

Short recap

not real conversation, just my rough retelling! Full conversation here https://blog.zhovner.com/Account-blocked-by-mass-abuse-reporting

<Me>Why my account is blocked? I think it is the result of massive fake abuse report spam.

<Skype>Our automated system has blocked your account due to a violation of Skype Terms of Use.

<Me>You have a vulnerability in the system, anyone’s account could be blocked with mass abuse reports, even if there are no violation of rules. My personal account was banned exactly using this scenario. Could you please double check it?

<Skype>We already did the check, our system is perfect and never makes mistakes, we are sure that you had violated the rules. Our system is very precise and all the actions are being tracked, that means that it is definitely your fault, therefore your account will be never unbanned. If you want to continue using the service, just create a new account.

<Me>I have evidence that your system is vulnerable to mass abuse report attacks.

<Skype>No, our system always right, 100% sure.

<Me>OK, could you please tell me the particular actions from my account which lead to the blocking?

<Skype>You have already described the actions in your previous e-mails. You are right, that is the reason why your account was blocked.

<Me>Are you crazy? So now you are admitting that anyone could delete any account just by submitting enough reports? Even if you do not know what are the reasons for the report? You know that these abuses could be made even without adding the person to the contact list. So you can send a report from the account which had never had a conversation with the person, who is he reporting. You are admitting that this kind of vulnerability. Is this even legal? I am planning to go to the court.

<Skype>We think that we gave enough information. You are piece of shit, live with it.

<Me>This vulnerability is totally serious. I believe that you should thoroughly investigate it. I have enough data to reproduce the vulnerability. We can repeat it with your a priori clean account, which does not violate the rules, which you have complete control on. I’ll pay for the removal of this account and you will be able to investigate the problem.

<Skype>We understand that you want to find out the exact reason for deletion of your account. We have already informed you earlier that our automatic assholes detection system is very accurate. Now, you’re an asshole. We have all the logs!

<Me>Well, what if I want to report a vulnerability? Here is a detailed description…

<Skype>Yes, we do not care at all, go to court or police.

Resume

It is already 15 days since my Skype account was banned. With the chat with support log, it is clear that nobody is trying to return my account back. I am really looking forward to recover my account back and call for apology from Skype for all the humiliations I need to get through, trying to make their services more secure.

Unfortunately, Skype is a big bureaucratic machine, which is not able to detect and react to the problems in their service due to poor organization, big and complex management structure. I have no doubt that nothing will change here in the nearest future.

In this article, I have described only problems which I know. I can assume that there exist much more exploits, which are in use, but I have no clue about them.

It is essential to understand that it is not ONLY Skype problem. These issues could be applied to ANY messenger with centralized control, where all security is based upon trust and authority of administration.
If you think that your lovely messenger is much more secure than Skype just because the employees are “good guys”, you are just fooling yourself.
People who have infinite access to the user information could be vulnerable to different kinds of pressure, blackmailing or deception. No one is ready to go to jail or even to give their lives for the safety of users’ messages. As far as unlimited access exists, there will always be a temptation to use this access wrongfully.

Truly secure messenger must be built on the impossibility of unauthorized access on a specification level, not on a trust to any group of people.

На русском "Как Skype уязвимости чинил" https://habr.com/ru/post/316912/

Discussion on HN https://news.ycombinator.com/item?id=13227480